Dear colleagues,

Starting December 2, 2025, Microsoft Intune will also use Azure Front Door IP ranges for service connectivity. These addresses are tagged as AzureFrontDoor.MicrosoftSecurity. Units that manage firewalls, proxies, or outbound traffic rules must update configurations to ensure uninterrupted device and app management.

What is changing

• • Intune network endpoints will expand to include Azure Front Door ranges.

  • Existing Intune endpoints remain required. Do not remove them.

  • This change is part of Microsoft’s Secure Future Initiative to improve security alignment.

Who is affected

• • Units that restrict outbound traffic using firewalls, routers, proxies, VPNs, or network security groups.

  • All Intune-managed devices (mobile device management and app protection policies).

Action required

• • By December 1, 2025, update firewall rules to allow outbound traffic on port 443 for the AzureFrontDoor.MicrosoftSecurity service tag.

  • Alternatively, add the new IP ranges from the official JSON files (search for “AzureFrontDoor.MicrosoftSecurity”).

  • Keep existing Intune endpoints in place.

Timeline

• • Now: Review firewall allowlists and plan updates.

  • December 1, 2025: Deadline for updates.

  • December 2, 2025: Intune begins using new endpoints.

Details

Failure to update rules may cause:

• • Device login issues

  • Loss of connectivity with Intune

  • Disruption to apps like the Intune Company Portal or those protected by app protection policies

Support

• • For technical guidance, see Microsoft’s documentation below.

Learn more:

• • Message Center MC1147982: Update firewall configurations to include new Intune network endpoints

  • Intune network endpoints (Microsoft Learn)

  • Support tip: upcoming Intune network changes (Microsoft Tech Community)

Kind regards,  

Enterprise Applications & Solutions Integration (EASI)  

Information Technology Services 

University of Toronto